Experts say it’s potentially the largest spying operation against the U.S. in history — and it ran without being noticed for nine months.

It’s not often that the United States Treasury Department and Iowa State University are dealing with the same security problem.
Such is the breadth of what's known as the SolarWinds hack, named after a Texas-based company that was used as a staging ground for an espionage campaign so widespread that experts say we're only beginning to understand who was affected and what was stolen. Treasury is trying to figure out how many senior officials' email accounts were monitored. Iowa State University has decommissioned servers to check to see if hackers got in.
Around the world, at least hundreds, but more likely thousands or tens of thousands, of organizations, including companies, schools, think tanks and, notably, every major government agency, have been working frantically to see if they've been affected by the suspected Russian hacking campaign, and if so, how much access the hackers had.
It’s not rare for companies or even government agencies to suffer security breaches. The campaign has drawn some comparisons to China’s 2014 hack of the U.S. Office of Personnel Management, which stored the private information of nearly all government employees, including undercover agents. But experts say the SolarWinds hack is unique in its scope, potentially the largest spying operation against the U.S. in history, and it ran without being noticed for nine months.
"The issue is, we don’t know how big this is, and at the same time it could be the biggest ever," said Sergio Caltagirone, the vice president of threat intelligence at the cybersecurity firm Dragos, which is currently in the process of helping industrial and manufacturing companies deal with the hacking campaign and its fallout.
Only a handful of organizations, including the cybersecurity company FireEye and three U.S. federal agencies (the Departments of Commerce, Energy and Treasury), have so far admitted being seriously affected. But the cybersecurity industry is aware of a little over 200 compromises, Caltagirone said, with that number all but guaranteed to grow.
"Most organizations still lack the basic visibility to even assess whether they were compromised or not," Caltagirone said. "We know we are undercounting the victims here. We know that for a fact."
The campaign is so broad because the hackers pulled off a textbook case of a supply-chain attack. Instead of breaking into individual organizations, many of which have robust cybersecurity measures in place, the hackers, widely believed to be Russia's SVR intelligence agency (though most Trump officials have only publicly pointed the finger at Russia), breached SolarWinds, a company based in Austin, Texas, that has an enormous customer base.
Unlike some of Russia’s noisier agencies, like the FSB, accused of poisoning Russian dissidents, or the GRU, which hacks and leaks material to disparage Russia’s opponents, the SVR is known for its methodical, long-term intelligence-gathering operations.
SolarWinds provides software that helps large organizations manage their computer networks, and thus is given automatic permission to be in those networks without raising alarms. In March, the hackers implanted malicious code into the company's regular software updates, the company and a government investigation found, creating a potential backdoor into any of the company's tens of thousands of customers.
While the question of who was affected is still open, SolarWinds said in an SEC filing that it had informed 33,000 customer organizations that they had been infected, and could only narrow their suspected number of actual victims to under 18,000.
While SolarWinds has since released an update of its software, the fact that the hackers had a nine-month head start means that they likely built additional entry points into the networks they deemed important, said Neil Jenkins, the chief analytic officer at the Cyber Threat Alliance, a cybersecurity industry group, and a former senior cybersecurity official at the Department of Homeland Security.
"As soon as you get into a network, you’re going to set up other potential backdoors and ways to get in, in case the original way you got in closed," Jenkins said. "So just because you closed the SolarWinds intrusion doesn’t mean you’ve solved the problem."
The range of victims even extends beyond SolarWinds' extensive customer base. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is leading the federal government's technical response to the hacking campaign, has warned that the same hackers may have infected victims by means other than SolarWinds.
The hackers' lead time and extraordinary access into networks mean victim organizations will have to choose between two unpleasant options: spending significant resources hunting through their computers in the hope they can eradicate the hackers' footholds, or rebuilding their networks from scratch, said Suzanne Spaulding, the former head of what is now CISA and currently the director of the Defending Democratic Institutions project at the Center for Strategic and International Studies, a think tank.
"I think we'll be at least months trying to figure out the full scope and scale of this," Spaulding said. "And at least months trying to recover, trying to get the adversary out or abandon ship and rebuild securely."
"This is not an adversary that goes away when detected," she said. "They fight to maintain their persistent presence, and we'll be doing battle, I suspect, for a while."